Stream and Object Anti-Virus events

The table below lists the keys and values in a message with the File Web Antivirus event type.

Information about an event with the File Web Antivirus event type

Key
    Value

cs4, cs4Label
    Event priority.

    This value is displayed by default.

    For security rules for filtering based on MIME types or file names: if a file is blocked (block action applied), the value is Low.

devicePayloadId
    Session ID.

deviceDirection
    Connection direction from the raw event. Possible values:

      • 0 – request
      • 1 – response

    This value is displayed by default.

cs1, cs1Label
    Detected object.

    This value is displayed by default.

act
    Action performed when the domain was visited.

    This value is displayed by default.

cs3, cs3Label
    Sources of the detection. One or more values can be specified.

    If there are multiple detection sources, the entire chain of sources involved in the detection is indicated as a list.

    Possible values (in the order of display):

      • Local
      • KSN

rt
    Date and time when the event was generated on the Kaspersky NGFW device (that is, when the session was removed and ended up in the Kaspersky NGFW Session manager).

    Format: 2023-12-26T12:31:54Z.

dtz
    Time zone on the device.

dvchost
    Host name of the Kaspersky NGFW device.

    This value is displayed by default.

src
    Source IP address.

    This value is displayed by default.

dst
    Destination IP address (from which the file was downloaded).

    This value is displayed by default.

proto
    L3–L4 protocol.

    Always TCP.

    This value is displayed by default.

spt
    Source port.

dpt
    Destination port (from which the file was downloaded).

app
    L7 protocol from the Application Control detection.

    Possible value: HTTP.

    This value is displayed by default.

request
    Visited URL (full path).

    This value is displayed by default.

cat
    Software category of the detected object.

    This value is displayed by default.

    For security rules for filtering based on MIME types or file names: if a file is blocked (block action applied), the value is Unknown.

    Possible values:

      • Malware means the file has been identified by KATA as Malware.
      • Empty value if the sending resulted in an error or if KATA is unavailable.

KasperskyNGFWAntivirusProfile
    Triggered Anti-Virus security profile.

    This value is displayed by default.

fsize
    File size (taken from the HTTP header).

msg
    Body of the message.

    Possible messages:

      • If the sending of objects to KATA is enabled in the triggered profile:
        • File was sent to KATA.
        • File was not sent to KATA. Connection failed means the file was not sent to KATA and was removed from the queue because the connection to KATA was interrupted.
        • Infected file was detected by KATA means the file was recognized by KATA as malware.
      • If filtering by MIME types or file names is enabled and a file was blocked (the block action was applied): Filtered by <filtering type> filter_name: <name of triggered security rule>, where <filtering type> is mime-type-filter for filtering by MIME type or file-name-filter for filtering by file name.
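As an added example (not code from the Kaspersky NGFW documentation or product), a small Python triage helper for events carrying the fields above: it resolves the csN/csNLabel pairs, maps deviceDirection, splits the cs3 source chain, and recognises the msg variants (KATA verdict, failed hand-off to KATA, MIME or file-name filter with its rule name). It assumes the event is delivered as a CEF-style key=value extension string, which the page does not state; the csNLabel texts, the comma separating cs3 values, and all sample values (host name, addresses, object name, rule name) are constructed.

```python
import re

# Constructed sample events using the fields listed above. Assumptions: a
# CEF-style key=value extension string (the page does not state the wire
# format), the csNLabel texts, and a comma separating the cs3 source chain.
KATA_EVENT = (
    "rt=2023-12-26T12:31:54Z dvchost=ngfw-01 deviceDirection=1 src=10.0.0.5 "
    "dst=203.0.113.10 proto=TCP dpt=80 app=HTTP act=block cat=Malware "
    "request=http://files.example.test/report.exe cs1=EICAR-Test-File "
    "cs1Label=Detected object cs3=Local,KSN cs3Label=Detection sources "
    "cs4=High cs4Label=Event priority fsize=68 msg=Infected file was detected by KATA"
)
FILTER_EVENT = (
    "rt=2023-12-26T12:40:02Z dvchost=ngfw-01 deviceDirection=1 src=10.0.0.5 "
    "dst=203.0.113.10 proto=TCP dpt=80 app=HTTP act=block cat=Unknown "
    "cs4=Low cs4Label=Event priority msg=Filtered by mime-type-filter filter_name: Block executables"
)
FILTER_RE = re.compile(r"^Filtered by (mime-type-filter|file-name-filter) filter_name: (.+)$")
DIRECTION = {"0": "request", "1": "response"}


def parse_extension(ext: str) -> dict:
    """Split 'k=v k2=v v' into a dict, then rename csN to its csNLabel text.
    Values may contain spaces, so split only before the next 'key=' token;
    CEF-escaped '\\=' and '\\\\' are unescaped."""
    fields = {}
    for pair in re.split(r"\s+(?=\w+=)", ext.strip()):
        key, _, value = pair.partition("=")
        fields[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    for n in range(1, 7):  # CEF defines cs1..cs6
        label = fields.pop(f"cs{n}Label", None)
        if label and f"cs{n}" in fields:
            fields[label] = fields.pop(f"cs{n}")
    return fields


def summarize(ext: str) -> dict:
    """Normalize what a responder triages: direction, source chain, msg kind, alert flag."""
    f = parse_extension(ext)
    msg = f.get("msg", "")
    m = FILTER_RE.match(msg)
    kind = ("filtered" if m else "kata_detection" if msg.startswith("Infected file was detected by KATA")
            else "kata_send_failed" if msg.startswith("File was not sent to KATA") else "other")
    sources = f.get("Detection sources", "")
    return {
        "kind": kind, "filter_type": m.group(1) if m else None, "rule": m.group(2) if m else None,
        "direction": DIRECTION.get(f.get("deviceDirection"), "unknown"),
        "sources": sources.split(",") if sources else [],
        "object": f.get("Detected object"), "priority": f.get("Event priority"),
        # A KATA malware verdict or a failed hand-off to KATA both need follow-up.
        "alert": f.get("cat") == "Malware" or kind == "kata_send_failed",
    }
```

A failed hand-off (File was not sent to KATA) is flagged because the file reached the client without a verdict, which is a detection gap rather than a clean result.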
